add back in stuff

Author: anthony-nhs

packages/cdk/nagSuppressions.ts

@@ -102,6 +102,17 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/S3Endpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {

packages/cdk/stacks/VpcResourcesStack.ts

@@ -10,7 +10,7 @@ import {
 import {
   CfnSubnet,
   FlowLogDestination,
-  GatewayVpcEndpointAwsService,
+  GatewayVpcEndpoint,
   InterfaceVpcEndpoint,
   InterfaceVpcEndpointAwsService,
   IpAddresses,
@@ -97,19 +97,16 @@ export class VpcResourcesStack extends Stack {
 
     this.vpc = vpc
 
-    // add vpc private endpoints - needed to set up ECR
+    // add vpc private endpoints - needed to run ECS in private subnet
+    // copied from https://stackoverflow.com/a/69578964/9294145
     this.addInterfaceEndpoint("ECRDockerEndpoint", InterfaceVpcEndpointAwsService.ECR_DOCKER)
     this.addInterfaceEndpoint("ECREndpoint", InterfaceVpcEndpointAwsService.ECR)
     this.addInterfaceEndpoint("SecretManagerEndpoint", InterfaceVpcEndpointAwsService.SECRETS_MANAGER)
     this.addInterfaceEndpoint("CloudWatchEndpoint", InterfaceVpcEndpointAwsService.CLOUDWATCH_MONITORING)
     this.addInterfaceEndpoint("CloudWatchLogsEndpoint", InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS)
     this.addInterfaceEndpoint("CloudWatchEventsEndpoint", InterfaceVpcEndpointAwsService.EVENTBRIDGE)
     this.addInterfaceEndpoint("SSMEndpoint", InterfaceVpcEndpointAwsService.SSM)
-
-    // add a gateway endpoint for S3
-    vpc.addGatewayEndpoint("S3Endpoint", {
-      service: GatewayVpcEndpointAwsService.S3
-    })
+    this.addGatewayEndpoint("S3Endpoint", InterfaceVpcEndpointAwsService.S3)
 
     //Outputs
 
@@ -154,10 +151,12 @@ export class VpcResourcesStack extends Stack {
   }
 
   private addInterfaceEndpoint(name: string, awsService: InterfaceVpcEndpointAwsService): void {
-    const endpoint: InterfaceVpcEndpoint = this.vpc.addInterfaceEndpoint(`${name}`, {
+    const endpoint: InterfaceVpcEndpoint = this.vpc.addInterfaceEndpoint(name, {
       service: awsService
     })
 
+    // vpc endpoints do not support tagging from cdk/cloudformation
+    // so use a custom resource to add them in
     new AwsCustomResource(this, `${name}-tags`, {
       installLatestAwsSdk: false,
       onUpdate: {
@@ -169,7 +168,7 @@ export class VpcResourcesStack extends Stack {
           Tags: [
             {
               Key: "Name",
-              Value: `${this.stackName}-${name}-endpoint`
+              Value: `${this.stackName}-${name}`
             }
           ]
         },
@@ -183,4 +182,36 @@ export class VpcResourcesStack extends Stack {
 
     endpoint.connections.allowFrom(Peer.ipv4(this.vpc.vpcCidrBlock), endpoint.connections.defaultPort!)
   }
+
+  private addGatewayEndpoint(name: string, awsService: InterfaceVpcEndpointAwsService): void {
+    const endpoint: GatewayVpcEndpoint = this.vpc.addGatewayEndpoint(name, {
+      service: awsService
+    })
+
+    // vpc endpoints do not support tagging from cdk/cloudformation
+    // so use a custom resource to add them in
+    new AwsCustomResource(this, `${name}-tags`, {
+      installLatestAwsSdk: false,
+      onUpdate: {
+        action: "createTags",
+        parameters: {
+          Resources: [
+            endpoint.vpcEndpointId
+          ],
+          Tags: [
+            {
+              Key: "Name",
+              Value: `${this.stackName}-${name}`
+            }
+          ]
+        },
+        physicalResourceId: PhysicalResourceId.of(Date.now().toString()),
+        service: "EC2"
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({
+        resources: AwsCustomResourcePolicy.ANY_RESOURCE
+      })
+    })
+  }
+
 }